Hey You Coffee App Leaks Customer Data: What Should You Do?

Hey You, the Australian coffee and food delivery app, functioning like Uber Eats but for cafes, appeared to leak customer data on Thursday morning.

Gizmodo Australia learned on Thursday morning (courtesy of Alex Kidman and a tipster known as Amy) that, when logging into the Hey You app, users could randomly be logged into the wrong accounts.

During the incident on Thursday morning, a user who appeared to be logged into another person’s account had access to that person’s saved private information. It raises troubling privacy issues in a year of pretty big data breaches.

Gizmodo Australia was able to confirm with three Hey You users (including users in Pedestrian Group’s office) that, when logging in, they were able to see other users’ information as if it were their own and change it. However, it didn’t appear to be an issue for all users, with some simply being sent to their own correct accounts. Users couldn’t order coffee on the account holder’s behalf.

One user said that customer data kept refreshing and switching to other people’s profiles every couple of seconds, switching users’ favourite orders and restaurants. Another user said that, in the space of 10 minutes, they must have seen the user information of between 10 and 15 people. Instagram users commenting on Hey You’s most recent post also reported the same issue.

Hey You provided Gizmodo Australia with the following comment:

“On Thursday 7 December 2023 at 7:15am, Hey You became aware of a technical incident which allowed some customers to access basic profile information of another Hey You user.

We know that the profiles of approximately 1042 customers were affected, and that the incident was a result of a software upgrade and subsequent caching issue. We are continuing our investigation and if your account was affected we will contact you directly.

After verifying the nature of the incident and risk, Hey You immediately locked down access and rectified the issue. This was completed within 1hr 30 mins, by 8.45am this morning.

The profile data potentially accessed by another was restricted to the following information:

 • First name
 • Last name
 • Email address
 • Telephone number (not mandatory)
 • Profile image (not mandatory)
 • Favourite orders and places (if ordered recently)

Due to the nature of the data potentially accessed, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised – for example, no personal addresses, financial, order history or payment details were accessible. At no time could an affected customer order or make payments using another customer’s profile.

As mentioned, all of the individuals affected will be sent an email, which details the level of information that was accessed. We are also now working hard to put measures in place to ensure that an incident of this nature does not happen again.

We are deeply disappointed that this has occurred and apologise to those affected. Please note this was caused by a software release, and not an external event.

Any customers or clients concerned about the issue can contact us at support@heyyou.com.au.”

I’m a Hey You customer. Should I be concerned? What can I do?

Leaks like these are naturally concerning because, through no fault of your own, your personal information may have been compromised.

Still, while being concerned is wise, panicking is not. This is more generic advice because the full scope and impact of the problem aren’t yet clear, but if you’re concerned that your information was at risk, log into the app to check if your details are still correct. Some users have only been able to see their own details, but if miscreants have adjusted them, you should be able to see this – and fix it.

Obviously, if something like this ever occurs again, no matter if it’s a coffee-ordering app or something else, just log out of the user’s account and leave them alone.

This article has been updated since it was originally published.

